Abstract

In a secret-sharing scheme, the secret is shared among a set of shareholders, and it can be reconstructed if a quorum of these shareholders work together by releasing their secret shares. However, in many applications, it is undesirable for nonshareholders to learn the secret. In these cases, pairwise secure channels are needed among shareholders to exchange the shares. In other words, a shared key needs to be established between every pair of shareholders. But employing an additional key establishment protocol may make the secret-sharing schemes significantly more complicated. To solve this problem, we introduce a new type of secret-sharing, called protected secret-sharing (PSS), in which the shares possessed by shareholders not only can be used to reconstruct the original secret but also can be used to establish the shared keys between every pair of shareholders. Therefore, in the secret reconstruction phase, the recovered secret is only available to shareholders but not to nonshareholders. In this paper, an information theoretically secure PSS scheme is proposed, its security properties are analyzed, and its computational complexity is evaluated. Moreover, our proposed PSS scheme also can be applied to threshold cryptosystems to prevent nonshareholders from learning the output of the protocols.

1. Introduction

Secret-sharing schemes, first introduced by Shamir [1] and Blakley [2] in 1979, are very important techniques to ensure secrecy and availability of sensitive information. Moreover, they are widely used as building blocks in various cryptographic protocols, such as threshold cryptosystems, attribute-based encryption, and multiparty computation. In a threshold secret-sharing scheme, the secret is divided into shares so that it can only be recovered with or more than shares, but fewer than shares cannot reveal any information of the secret. In the past few decades, many secret-sharing schemes have been proposed in the literature, and three major approaches can be used to design them: Shamir’s approach [1] based on the univariate polynomial, Blakley’s approach [2] based on the hyperplane geometry, and the Mignotte/Asmuth-Bloom approach [3, 4] based on the Chinese Remainder Theorem (CRT).

In the majority of existing secret-sharing schemes, it is simply assumed that shares are released by the shareholders in the secret reconstruction phase, and then anyone can reconstruct the secret using these revealed shares. But, in many cases, it is undesirable for nonshareholders to learn the secret. Consider the scenario where a famous billionaire sets up his will and shares it among his children using secret-sharing; the children are told that the will should not be read while the billionaire is alive and that its contents should be kept strictly private among the family members. However, some paparazzi may want to learn the will after the billionaire passes away in order to make headline news. In this case, traditional secret-sharing schemes may not provide sufficient protection. To solve this problem, shareholders can use pairwise secure channels to exchange the shares so that the recovered secret is only available to shareholders but not to nonshareholders. If these secure channels are built using cryptographic methods, a shared key is required to be established between every pair of shareholders beforehand. However, employing an additional key establishment protocol may make the secret-sharing schemes significantly more complicated.

The same problem also arises if secret-sharing schemes are used as building blocks in some other cryptographic protocols. For example, threshold cryptography, first introduced by Desmedt [5], is the application of secret-sharing with public-key algorithms. Among various threshold cryptosystems, some are based on ElGamal [6, 7], some are based on RSA [8–11], some are based on Elliptic Curves [12, 13], and some are based on Pairing [14]. In these protocols, shares are either used to generate a digital signature or used to decrypt a ciphertext. To prevent any nonshareholder from learning the outputs of the protocol, a shared key is also needed between every pair of shareholders. Similarly, employing an additional key establishment protocol in threshold cryptosystems can complicate the process significantly.

In this paper, we use bivariate polynomials to propose a new type of secret-sharing scheme, called protected secret-sharing (PSS), in which shareholders can use their shares to achieve two purposes simultaneously: one is to reconstruct the original secret and the other is to establish a shared key between every pair of shareholders. Using these shared keys, shareholders can build pairwise secure channels among them to exchange the shares in the secret reconstruction phase. Therefore, PSS provides an efficient solution to protect the original secret from nonshareholders. Our proposed scheme is information theoretically secure, and it can be easily extended to threshold cryptosystems for the same purpose.

Note that although bivariate polynomials have been used to design many different types of secret-sharing schemes in the literature, for example, verifiable secret-sharing (VSS) [15–17], pairwise key distribution [18–21], and dynamic secret-sharing [22], the purpose of this work is different from the previous ones, and the types of employed bivariate polynomials are different as well.

The rest of paper is organized as follows. In Section 2, we review some secret-sharing schemes based on polynomials. In Section 3, we present the models for PSS, including the system model, the adversary model, and the security goals. Our proposed PSS scheme based on bivariate polynomials is introduced in Section 4. Its security and complexity analysis is described in Section 5. Finally, we conclude the paper in Section 6.

2. Review of Secret-Sharing Schemes Based on Polynomials

Shamir’s secret-sharing scheme [1] is based on univariate polynomials. The dealer first randomly selects a polynomial over with degree at most , where is the secret. Then the dealer evaluates the polynomial at different points to generate the shares for . Here, is a large prime with , and is some public information associated with each shareholder. In what follows in this paper, we assume that all computations are modulo unless otherwise stated.

In 1985, Chor et al. [23] extended the notion of secret-sharing and proposed the first verifiable secret-sharing (VSS) scheme. The verifiability property allows shareholders to verify the validity of their received shares. If invalid shares are found, shareholders can request the dealer to regenerate new shares. In the literature, several VSS schemes [15, 16, 24–27] are designed using bivariate polynomials. A bivariate polynomial with degree at most can be represented as where , . If the coefficients satisfy , , such a polynomial is called a symmetric bivariate polynomial. Otherwise, it is called an asymmetric bivariate polynomial. In these VSS schemes, the dealer uses a symmetric bivariate polynomial to generate shares for the shareholders, where . Each share is a univariate polynomial with degree at most . Note that since , , a pairwise key can be established between the shareholders and . Therefore, a symmetric bivariate polynomial enables two shareholders to establish a pairwise shared key.

3. Models for Protected Secret-Sharing

3.1. System Model

Definition 1 (protected secret-sharing (PSS)). In a PSS, the received shares by shareholders can be used to serve two purposes simultaneously: (a) reconstruct the original secret and (b) establish pairwise shared keys among shareholders (note that these pairwise shared keys are used to build a secure channel between every pair of shareholders in order to exchange the shares in the secret reconstruction phase. Therefore, the reconstructed secret can be protected from any nonshareholder).

The players in our proposed scheme include a trusted dealer , shareholders , and some insider or outsider adversaries. We assume that all these players have unlimited computational power. Among the shareholders, at least a portion of them are assumed to be honest.

We assume that there exists a secure channel between the dealer and every shareholder, so that the shares can be securely distributed to shareholders. Moreover, we assume that every player is connected to a common authenticated broadcast channel , so that any message sent through can be heard by the other players. The adversaries cannot modify messages sent by an honest player through , and they cannot prevent honest players from receiving messages from . Note that these assumptions are widely used in existing secret-sharing schemes. With these assumptions, we can focus our discussion on the key aspects of PSS without digging into the low level of technical details. Our purpose is to provide an efficient way to establish additional pairwise secret channels among shareholders without invoking a separate key establishment protocol.

Our proposed PSS scheme consists of two phases: (i) share generation and distribution by the dealer and (ii) secret reconstruction by shareholders. During the share generation and distribution phase, the dealer selects a random asymmetric bivariate polynomial to generate the shares for each shareholder, and every share consists of two univariate polynomials. These shares are sent to shareholders through the secure channels. During the secret reconstruction phase, each shareholder first uses her share to compute pairwise shared keys with the other shareholders. With these shared keys, pairwise secure channels can be established among the shareholders. After receiving the shares from the other shareholders through these secure channels, each shareholder can recover the original secret without leaking it to any nonshareholder.

3.2. Adversary Model

We consider two types of adversaries in the proposed PSS scheme.

(i) Insider Adversary. The insider adversary is a legitimate shareholder who owns a share generated by the dealer. An insider adversary may work alone or collude with some other insider adversaries to learn the secret before it is supposed to be reconstructed, or to cause an invalid secret to be recovered using fake shares. Note that when the secret is reconstructed, we assume that the insider adversaries can learn the secret, but they will not leak the secret to nonshareholders, for example, the outsider adversaries.

(ii) Outsider Adversary. The outsider adversary is an attacker who does not own any share generated by the dealer, but she may try to learn the secret that she is unauthorized to access. Note that this attack is possible in many existing secret-sharing schemes when the shares are exchanged in an insecure fashion during the secret reconstruction phase.

3.3. Security Goals

In the security analysis, we demonstrate that the following security goals are satisfied in the proposed PSS scheme based on our assumptions.

Definition 2 (correctness). If there exists a portion of honest shareholders, the correct secret can always be reconstructed. Moreover, any insider adversary who uses a fake share in the secret reconstruction phase can be identified.

Definition 3 (secrecy). If there exists a portion of honest shareholders, the insider adversaries cannot learn any information of the secret before the secret is supposed to be reconstructed. Moreover, in the secret reconstruction phase, the traffic flows over the broadcast channel reveal no information of the secret to the outsider adversary.

Note that the proposed PSS scheme aims to achieve information theoretical security. Hence, both of the above security goals do not rely on any computational assumption.

4. The Proposed PSS Scheme

In this section, we propose a PSS scheme using asymmetric bivariate polynomials. There are two major differences between shares generated by a univariate polynomial and by a bivariate polynomial: (1) the shares generated by a univariate polynomial are integers in , but shares generated by a bivariate polynomial are univariate polynomials over ; (2) the shares generated by a univariate polynomial can only be used to reconstruct the secret, but the shares generated by a bivariate polynomial not only can be used to reconstruct the secret but also can be used to establish pairwise keys among shareholders.

4.1. Share Generation and Distribution Phase

At first, the dealer selects a random asymmetric polynomial: where is with degree at most in and with degree at most in (i.e., ; we will explain this condition in the security analysis), where is the secret, , and is a large prime integer with . The dealer computes a pair of shares and for each shareholder , where is the public information associated with the corresponding shareholder . The dealer sends the pair of shares to each shareholder through the secure channel.

4.2. Secret Reconstruction Phase

Without loss of generality, assume that (i.e., ) shareholders are participating in the secret reconstruction phase:

(1) Between every pair of shareholders, they compute two shared keys. For example, the shareholders and (i.e., we assume that ) can compute the shared keys as and .

(2) Each shareholder then uses her share to compute a Lagrange Component as

(3) For each pair of shareholders, they use their shared keys to build a secure channel and then use this channel to exchange their Lagrange Components. For example, the shareholder computes , where denotes the one-time pad encryption of using the key , and sends to the shareholder through the authenticated broadcast channel . Similarly, encrypts her share by one-time pad using the shared key and sends to using the authenticated channel .

(4) After receiving the ciphertexts for , the shareholder can decrypt them individually as , where denotes the decryption of using the key .

(5) Finally, each shareholder computes the secret as .
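The two phases of Section 4, carried through end to end as an added example (this is not the paper's code). The dealer picks an asymmetric bivariate polynomial F(x, y) over GF(P) with F(0, 0) equal to the secret and hands each shareholder the pair F(x_i, y), F(x, x_i); in reconstruction, each pair of participants derives the key F(x_i, x_j) from opposite sides, one-time-pads its Lagrange component with it over the broadcast channel, and sums what it decrypts. The class and function names, the prime, the identifiers x_i = 1..n and the key/cipher notation are this example's own choices, and the degree-in-y parameter h is left as a free parameter because the paper's condition on it did not survive extraction.

```python
# Added example, not the paper's code: PSS share generation and secret
# reconstruction with an asymmetric bivariate polynomial over GF(P).
# Names (Dealer, Shareholder, F, t, h, x_i, key_to/key_from) are this
# example's own; the prime and all identifiers below are constructed.
import secrets

P = 2**61 - 1  # constructed prime modulus; every value below lives in GF(P)

def poly_eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def lagrange_coeff_at_zero(xs, i):
    """Public Lagrange coefficient of x_i for interpolating at x = 0."""
    num, den = 1, 1
    for j, xj in enumerate(xs):
        if j != i:
            num = num * (-xj) % P
            den = den * (xs[i] - xj) % P
    return num * pow(den, P - 2, P) % P

class Dealer:
    """Share generation and distribution phase (Section 4.1)."""
    def __init__(self, secret, t, h):
        # F(x, y) = sum_{a<t, b<h} f[a][b] x^a y^b: degree t-1 in x, h-1 in y,
        # F(0, 0) = secret. The paper's condition tying h to t is not
        # recoverable from the extracted text, so h is a free parameter here.
        self.t, self.h = t, h
        self.f = [[secrets.randbelow(P) for _ in range(h)] for _ in range(t)]
        self.f[0][0] = secret % P

    def eval_F(self, x, y):
        """F(x, y) in full; used only to cross-check the shares."""
        col = [poly_eval([self.f[a][b] for a in range(self.t)], x) for b in range(self.h)]
        return poly_eval(col, y)

    def share(self, xi):
        """Pair of univariate shares for U_i: F(x_i, y) and F(x, x_i)."""
        fy = [poly_eval([self.f[a][b] for a in range(self.t)], xi) for b in range(self.h)]
        fx = [poly_eval(self.f[a], xi) for a in range(self.t)]
        return fy, fx

class Shareholder:
    def __init__(self, xi, share):
        self.x = xi
        self.fy, self.fx = share  # F(x_i, y) and F(x, x_i) as coefficient lists

    def key_to(self, xj):
        """k_{i,j} = F(x_i, x_j): evaluate F(x_i, y) at y = x_j (step 1)."""
        return poly_eval(self.fy, xj)

    def key_from(self, xj):
        """k_{j,i} = F(x_j, x_i): evaluate F(x, x_i) at x = x_j; U_j sends to U_i under it."""
        return poly_eval(self.fx, xj)

    def lagrange_component(self, xs):
        """Step 2: F(x_i, 0) is the constant term of F(x_i, y), so no evaluation is needed."""
        return self.fy[0] * lagrange_coeff_at_zero(xs, xs.index(self.x)) % P

def otp_encrypt(m, k):
    return (m + k) % P  # one-time pad in GF(P); each key is used exactly once

def otp_decrypt(c, k):
    return (c - k) % P

def reconstruct(holders):
    """Steps 3-5: exchange encrypted Lagrange components over the broadcast channel.
    Returns each participant's recovered secret and the ciphertexts an outsider sees."""
    xs = [u.x for u in holders]
    comps = {u.x: u.lagrange_component(xs) for u in holders}
    broadcast = {}
    for u in holders:
        for v in holders:
            if u is not v:  # U_u encrypts for U_v under k_{u,v} = F(x_u, x_v)
                broadcast[(u.x, v.x)] = otp_encrypt(comps[u.x], u.key_to(v.x))
    recovered = {}
    for v in holders:
        total = comps[v.x]
        for u in holders:
            if u is not v:  # U_v recomputes the same key from F(x, x_v)
                total = (total + otp_decrypt(broadcast[(u.x, v.x)], v.key_from(u.x))) % P
        recovered[v.x] = total
    return recovered, broadcast

def demo(secret=1234567, t=3, h=3, n=5):
    """Set up n shareholders, check key agreement, reconstruct with t of them."""
    dealer = Dealer(secret, t, h)
    xs = list(range(1, n + 1))  # constructed public identifiers x_i
    holders = [Shareholder(x, dealer.share(x)) for x in xs]
    keys_agree = all(holders[i].key_to(xs[j]) == holders[j].key_from(xs[i])
                     for i in range(n) for j in range(n) if i != j)
    recovered, _ = reconstruct(holders[:t])
    return keys_agree, set(recovered.values()) == {secret % P}
```

Two design points follow the text directly: the key for the direction U_i to U_j is computed by U_i from F(x_i, y) and by U_j from F(x, x_i), so no message is needed to agree on it, and because F(x, 0) has degree at most t-1, the sum of t Lagrange components recovers F(0, 0) regardless of h. Everything an outsider observes in `broadcast` is a one-time-pad ciphertext under a key that is itself a uniformly random field element, which is the information-theoretic argument of Theorem 5.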

5. Security and Complexity Analysis

In this section, we first prove the correctness and secrecy of the proposed scheme; that is, neither type of adversaries can achieve its objectives based on our assumptions. Then, we briefly analyze the complexity of the proposed scheme.

5.1. Security Analysis

Theorem 4. The proposed scheme achieves the correctness property. That is, if there exists a portion of honest shareholders, the correct secret can always be reconstructed. Moreover, any dishonest shareholder who uses a fake share in the secret reconstruction phase can be identified.

Proof. To prove this theorem, we first consider the situation in which there are no dishonest shareholders. Then we justify why fewer than a portion of dishonest shareholders cannot prevent the correct secret from being reconstructed. In step 2 of the secret reconstruction phase, each shareholder uses her share to compute the Lagrange Component of the secret as Since is a univariate polynomial with degree at most , the secret can be obtained in step 5 through Lagrange Interpolation as Therefore, if all shareholders are honest, the correct secret can be reconstructed. However, if there exist some dishonest shareholders, they may use fake shares in the secret reconstruction phase. In the proposed PSS scheme, the secret can be reconstructed by any subset of or more than shareholders. Hence, we assume that there are at most dishonest shareholders. Otherwise, the dishonest shareholders working together will have the ability to reconstruct the secret. In this case, any polynomial that passes points agrees at most points and it disagrees at least points. In other words, these polynomials have a Hamming distance , and this distance can correct any number of errors that is less than according to Coding Theory. Therefore, if , the correct secret can always be reconstructed. Note that is another form of this inequality. To speed up the decoding process, either the Euclidean decoder or the Berlekamp-Massey decoder can be used. Moreover, once the correct secret is determined, the invalid shares can be identified as well. This is because any subset that contains invalid shares will interpolate into an incorrect secret.
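The last sentence of the proof, that any subset containing an invalid share interpolates to a wrong secret, can be checked directly. The added example below (not the paper's code) interpolates every t-subset of the revealed values at x = 0, takes the value that the largest number of subsets agree on as the secret, and flags any shareholder whose value never appears in an agreeing subset. This is the brute-force form of the argument; the Euclidean and Berlekamp-Massey decoders the proof mentions reach the same answer without enumerating subsets and are not shown. Plain Shamir points are used because the interpolation step is the same as in the PSS scheme, where the receiver divides each decrypted Lagrange component by the public Lagrange coefficient to get F(x_i, 0); the prime, the identifiers and the tampered share are constructed.

```python
# Added example, not the paper's code: identify a fake share by subset
# interpolation. Constructed parameters throughout.
from itertools import combinations
import secrets

P = 2**61 - 1  # constructed prime modulus

def interpolate_at_zero(points):
    """Lagrange interpolation through `points` (x_i, y_i), evaluated at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def shamir_shares(secret, t, xs):
    """Points (x, f(x)) on a random degree-(t-1) polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P) for x in xs]

def identify_fake_shares(points, t):
    """Return (secret agreed by the most t-subsets, identifiers of shares that never agree).

    Requires more than t honest points; with fewer, no subset can outvote the rest."""
    tally = {}
    for subset in combinations(points, t):
        tally.setdefault(interpolate_at_zero(list(subset)), []).append(subset)
    secret = max(tally, key=lambda s: len(tally[s]))
    consistent = {x for subset in tally[secret] for x, _ in subset}
    fake = {x for x, _ in points} - consistent
    return secret, fake

def demo(secret=2024, t=3, n=6, cheater=4):
    """One of n shareholders releases an altered value; it must be caught."""
    points = shamir_shares(secret, t, list(range(1, n + 1)))
    tampered = [(x, (y + 1) % P if x == cheater else y) for x, y in points]
    return identify_fake_shares(tampered, t) == (secret % P, {cheater})
```

The count of honest-only subsets grows as C(n - e, t) while every mixed subset gives, with overwhelming probability, its own distinct wrong value, which is why the majority value is the secret whenever the honest shareholders outnumber the threshold; the proof's bound on the number of dishonest shareholders is exactly the condition under which this majority exists.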

Theorem 5. The proposed scheme satisfies the secrecy property. That is, the outsider adversaries cannot obtain any information of the secret. Moreover, if there exist a portion of honest shareholders and the condition holds, then or more than shares can recover the secret, but fewer than shares cannot reveal any information of the secret.

Proof. Although the shareholders exchange information through the authenticated broadcast channel in the secret reconstruction phase, all messages are encrypted. Based on the assumption that the asymmetric polynomial is randomly selected over by the dealer , the messages and the shared keys are all uniformly distributed within the same space . Moreover, since each message is exchanged only once, a one-time pad can be used here to encrypt these messages. Therefore, even if the outsider adversary has unlimited computational power, she cannot obtain any information of the secret. Next, we prove that if and , the insider adversaries cannot learn the secret before it is reconstructed. Regarding the first inequality, it simply states that there should be a majority of honest shareholders. Otherwise, the dishonest shareholders will have all the abilities that the honest ones have, that is, to reconstruct the secret. Note that this requirement is widely used in most of the existing secret-sharing schemes. Regarding the second inequality, recall that the polynomial is an asymmetric polynomial of degree in and degree in . It contains different coefficients. In the proposed scheme, each share contains two univariate polynomials with degree in and degree in , respectively. In other words, each shareholder can use her share to establish at most linearly independent equations in terms of the coefficients of the bivariate polynomial . When there are colluding shareholders with their shares together, they can establish a total of linearly independent equations. If the number of coefficients of the bivariate polynomial is larger than the number of equations available to the colluding shareholders, that is, , the dishonest shareholders cannot recover . Hence, they cannot learn any information of the secret. Therefore, these two inequalities together ensure that fewer than shares cannot reveal any information of the secret.

5.2. Complexity Analysis

In this section, we analyze the complexity of our proposed scheme and compare it with the one in Shamir’s secret-sharing scheme. Regarding the share generation and distribution phase, in our proposed PSS scheme, each share consists of two univariate polynomials: one is degree in and the other is degree in . Therefore, coefficients in need to be transmitted from the dealer to each shareholder, and each shareholder needs to store these coefficients. The storage requirement for each shareholder is bits, where is the modulus. In Shamir’s secret-sharing scheme, each share is a single value in . Therefore, only one value in needs to be transmitted from the dealer to each shareholder, and the storage requirement for each shareholder is bits. Note that, when evaluating the polynomials, Horner’s algorithm can be used to reduce the computational cost in both our proposed scheme and in Shamir’s secret-sharing scheme.

Regarding the secret reconstruction phase, in step 1, each shareholder needs to compute pairwise shared keys with the other shareholders. Note that this step does not involve any interaction. Using Horner’s algorithm, evaluating the polynomials of degree and degree requires steps and steps, respectively, where each step consists of one multiplication and one addition. In step 2, each shareholder needs to compute . Since is the constant coefficient of the polynomial , there is no need to compute this value. Therefore, the computational cost of evaluating is identical to that in Shamir’s secret-sharing scheme. Finally, there are one-time pad encryptions in step 3 and one-time pad decryptions in step 4.

Based on the above analysis, the computational complexities are similar in both schemes. But, compared with Shamir’s secret-sharing scheme, more information needs to be transmitted and stored by each shareholder in our proposed scheme. This price is paid to achieve an additional property: the recovered secret is not revealed to nonshareholders. This property is desirable in many applications, and our proposed scheme achieves it even if the adversaries have unlimited computational power. Although combining a pairwise key establishment protocol [18, 28] with Shamir’s secret-sharing scheme can protect the secret from nonshareholders as well, most pairwise key establishment protocols are computationally secure (not information theoretically secure), and the complexity of the key establishment protocol grows quadratically with the number of shareholders participating in the secret reconstruction phase.

5.3. Some Future Works

In the last three decades, many fascinating works about secret-sharing have been proposed in the literature, and different types of secret-sharing schemes provide different properties. For example, verifiable secret-sharing (VSS) schemes [15–17] not only allow the shareholders to verify the validity of their received shares in the share generation and distribution phase but also allow the verification of the revealed shares in the secret reconstruction phase. In proactive secret-sharing schemes [29–31], shareholders can refresh their shares periodically without the dealer being involved, so that the shares obtained by the adversaries become obsolete after the shares are updated. Moreover, the threshold can be dynamically adjusted when some shareholders join or leave. In multiple secret-sharing schemes [32–34], each shareholder can use her share to recover multiple secrets at different stages. In this paper, we have not considered these additional properties, and the existing secret-sharing schemes have not considered the issue of protecting the secret(s) from nonshareholders. Therefore, incorporating the ideas presented in this paper into these different types of secret-sharing schemes will be interesting, and we consider these further investigations as our future work.

6. Conclusion

A new type of secret-sharing, called protected secret-sharing (PSS), has been introduced in this paper. In a PSS scheme, the shareholders’ shares not only can be used to recover the secret but also can be used to protect the shares against nonshareholders in the secret reconstruction phase. A PSS scheme using a bivariate polynomial is proposed, and we provide security and complexity analysis of the proposed scheme. Some possible future works are also discussed in the paper. Note that our method is generic enough to be directly applied with threshold cryptosystems for the same purpose.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Authors’ Contributions

The authors have equal contribution to this paper.

Acknowledgments

This work was partially supported by the National Natural Science Foundation of China (Grants nos. 61772224, 61601337, 61672398, and 61503289), the Key Natural Science Foundation of Hubei Province (Grant no. 2015CFA069), the Science and Technology Support Program of Hubei Province (Grants nos. 2015BAA120 and 2015BCE068), the Applied Fundamental Research of Wuhan (Grant no. 20160101010004), the Humanity and Social Science Youth Foundation of Ministry of Education of China (no. 15YJC870029), and the Research Planning Project of National Language Committee (no. YB135-40).